The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for its own hacking purposes? More details from the Reuters report.

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.

Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.

As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves those hackers free to sell the same exploits to other high-bidding countries whenever they aren't using them themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."

The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.

Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.

So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.

The reality of governing

It doesn't matter if people are actually safer. It is all about creating the illusion of safety.

Getting rid of child porn, the war on terror, the war on piracy, the war on drugs, the war on cyber crime. Nothing that has been done so far has been effective in actually stopping those things but politicians look good because they are seen to be doing something. The majority of the public are too easily manipulated.

Re: The reality of governing

Actually, I think it's about the opposite: making us feel like we're in danger (and only the decreased liberty can save us). The TSA is the best example of this, but I think the psychology goes like this: the more the public sees that they are paying a price to be safe, the greater the underlying sense that if they're being asked to pay a price, there may be an underlying danger that is about equally strong.

A little reverse psychology.

I think this is intentional. Fear is the most dangerous emotion humans have, and amongst its many pernicious effects are two that are particularly useful to would-be tyrants: fear makes people compliant and unthinking.

What seems to be happening here is exactly what I remember seeing after the worst 'terrorist attack' ever: that terrorists won't have to do anything because the 'defenders against terrorism will do more harm than the terrorists themselves could ever hope to do'. Those words seem to have a lot of truth attached to them. What a shame.

Why not follow private sector's lead?

Instead of spending millions on in-house exploit hunting, why not follow Google's lead and offer bounties for discovering exploits which will then be put in a public database? Economically, if the value of the bounty is greater than the value of using or selling the exploit (monetarily or otherwise) then hackers will be happy to collect the bounty. And since multiple hackers can find the same exploit, there will be competition to be the first and/or the lowest bidder.

"cyber Pearl Harbor" might not be as bad a name for what is coming as people think....

Japan bombed Pearl Harbor as a preemptive strike to try and keep the USA out of WWII. This of course was a gross miscalculation that they later regretted.

We now have the US government looking to make preemptive strikes against the internet as a whole..... Question is, will they realize before it is too late that it is them in the bombers launching the attack?

Re: Why not follow private sector's lead?

The government is already following the private sector's lead. Just not the "white hat" side of it. Sure, they're paying bounties for exploits - but they don't end up in public databases, they are not reported to the software company, and are not fixed or patched. This isn't new. Remember the HBGary hack? Similar presentation slides were found boasting of knowledge of exploits that were not public knowledge and able to be used for offensive purposes.

IF gov't would save us from Microsoft's exploitable mono-culture,

this'd be automatically nearly wiped out. -- Of course Apple and Google aren't real alternatives. Not only do they provide backdoors for the gov't, but even outside that, just look at how fast Google's latest Precious, Glass, was broken into.

Back in the halcyon 80's, the notion was that computers would run so fast that software could practically be write-once-run-anywhere, so having multiple OSs wouldn't matter. Somehow Microsoft stole that dream, along with nearly all others; now they've delivered a massive OS with built-in spyware, plus DRM (of course that doesn't work, right?), proprietary lock-ins, and a toy UI that no one wants and has to be fixed.

Re: IF gov't would save us from Microsoft's exploitable mono-culture,

Of course the MSFT mono-culture has something to do with it. Which Federal Judge oversaw the MSFT anti-trust settlement? Colleen Kollar-Kotelly. Which star chamber was Judge Kollar-Kotelly part of? That's right, FISA! (http://en.wikipedia.org/wiki/Colleen_Kollar-Kotelly). Internal collusion anyone?

After the Jane Harman scandal (http://www.salon.com/2009/04/20/harman/) we have to assume that at least some members of the US Congress are, um, "in debt" to the US intelligence community. Why not Federal Judges, too? Sure, it's a high-stakes game, but it's one that J. Edgar Hoover perfected a long time ago.

That's the strategy the US Govt. has adopted all along - supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it's not in the best interest of the public).

In fact the govt. is behaving just like a parasite - adapting itself in such a way that the medicines (i.e. people with an ability to think deeply, rather unfortunately at present far outnumbered by those who can't) do not have their desired effects and, in the worst case scenario, these medicines themselves are treated as something unwanted and, ultimately, flushed out of the system (a highly efficient way to survive indeed!).

Re: IF gov't would save us from Microsoft's exploitable mono-culture,

The US has been at war with all sorts of real, semi-real and imaginary enemies since 1700-something. I think we need to give these politicians some GIJoe play kits that include some pseudo cyber attackers so they can spend their time less productively. And by productively I mean screwing up people and being morons.

What I don't get is the whole "If we change as a society, if we give up what makes us a free country, the terrorists have won" speech they all gave us. Exactly what hasn't changed for the worse? We have given up so many freedoms in the name of security that I really don't see how the terrorists didn't win. They succeeded in making the whole free world worse, but the free world leaders are to blame, not the terrorists or hackers or whatever the buzzword for "bad guy" is nowadays.

Re:

That's the strategy the US Govt. has adopted all along - supporting the bad people (by terming them as good, obviously) to reach their desired (usually nefarious) goals and not leaving any stone unturned to silence those who are vigilant enough to say exactly what they see (that it's not in the best interest of the public).

I continue to have problems understanding how "government" is separate from private companies. If you remove government and allow private companies to operate without any constraints, seems like you would get more of the same or worse.

Here's what that article said:

Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren't connected to anything.

So private contractors finding flaws and developing ways to exploit them would likely continue. They would just find people other than government to sell their info and programs to.

Re:

Mr. President,
This is a very real threat against our country and freedom as demonstrated by these GIJoes. As you can see, a member of the terrorist organization Cobra is slipping by these strategically placed Joes undetected with an AA Battery Bomb.
Here you can see the effects of the AA Battery Bomb replicated by smashing this Lego city with a hammer. The destruction is incalculable.
We must act now before it is too late.

Re: The reality of governing

well, i think you know better...
that *is* the superficial takeaway, but the REAL goal is to use such FUD to generate monies for their cronies, who then give them 'donations' (read: legalized bribes), who then pass laws to benefit their cronies, who then donate more money to the compliant kongresskritters, who pass more laws to benefit their cronies...
repeat as necessary...

the bullshit concern for the merikan people is mere window dressing, con artist patter to separate us from our money, honey...

Re: The reality of governing

I agree with what you say. Obama (in order to look good) has made another bill in which the authorities can look into our emails (source: http://goo.gl/K7DKy), whereas they should be doing something about the real issues which you have highlighted instead of harassing the general public!